IBM Corp.'s <http://ibm.com/db2/> DB2 Universal Database product is "a
large database server product commonly used for high end databases".
Multiple vulnerabilities, described in the sections below, have been found
in IBM's DB2 Universal Database product. Each is a local issue: exploitation
requires the ability to run code on the database host, and in several cases
membership in a DB2 instance group.

This vulnerability exists due to insufficient validation of the length of
attacker-supplied data. When an attacker supplies a specially crafted string
via certain environment variables, the string is copied into a fixed-size
buffer on the stack without a bounds check. By supplying more data than the
buffer holds, the attacker overflows it and overwrites the saved control
data above it on the stack (such as the return address), resulting in
arbitrary code execution with the privileges of the affected program.
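The pattern described above, as an added example that is not part of the original advisory and not IBM's code: an environment variable value copied by strcpy() into a fixed-size stack buffer, next to the bounded copy that refuses oversized input instead of overflowing or silently truncating. The variable name DB2_EXAMPLE_VAR and the 64-byte limit are assumptions chosen for illustration.

```c
/* Added example, not IBM's code: the pattern described above. A value taken
 * from the environment is copied into a fixed-size stack buffer without a
 * length check, next to a bounded copy that refuses oversized input. The
 * variable name DB2_EXAMPLE_VAR and the 64-byte limit are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 64

/* Vulnerable pattern: strcpy() stops only at the NUL of the source, so a
 * value of 64 bytes or more runs past 'name' into the saved frame pointer
 * and return address above it. Kept for comparison; never call it with
 * attacker-controlled input. */
int load_name_unsafe(const char *value, char *out, size_t outsz)
{
    char name[NAME_MAX_LEN];
    strcpy(name, value);                  /* unbounded copy */
    snprintf(out, outsz, "%s", name);
    return 0;
}

/* Hardened form: measure first, and fail if the value plus its terminator
 * does not fit. Rejecting beats truncating: a silently shortened path or
 * name may still be used and may now refer to something the attacker
 * controls. Sets errno to ENAMETOOLONG and returns -1 on oversize. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (src == NULL || dstsz == 0) {
        errno = EINVAL;
        return -1;
    }
    size_t n = strnlen(src, dstsz);      /* never reads beyond dstsz bytes */
    if (n >= dstsz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, src, n + 1);             /* includes the NUL */
    return 0;
}

/* Read the (assumed) variable and store it, failing closed when it is unset
 * or too long. Returns 0 on success, -1 otherwise. */
int load_name_safe(const char *envname, char *out, size_t outsz)
{
    const char *v = getenv(envname);
    if (v == NULL) {
        errno = ENOENT;
        return -1;
    }
    return copy_bounded(out, outsz, v);
}

int main(void)
{
    char name[NAME_MAX_LEN];
    char big[200];

    setenv("DB2_EXAMPLE_VAR", "db2inst1", 1);
    printf("8-byte value:   %s\n",
           load_name_safe("DB2_EXAMPLE_VAR", name, sizeof name) == 0 ? name : "rejected");

    memset(big, 'A', sizeof big - 1);    /* a 199-byte value, like an exploit string */
    big[sizeof big - 1] = '\0';
    setenv("DB2_EXAMPLE_VAR", big, 1);
    printf("199-byte value: %s\n",
           load_name_safe("DB2_EXAMPLE_VAR", name, sizeof name) == 0 ? name : "rejected");
    return 0;
}
```

The fix is the length check before the copy, not a larger buffer: any fixed size can be exceeded by an environment variable, whose length is limited only by the kernel's argument and environment limits.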

Non-executable memory technology such as PaX, DEP, exec-shield, or other
NX or XD technology, can help prevent exploitation of this type of
vulnerability, although it does not stop techniques that reuse code already
present in the process rather than injecting new code.

Detection:
iDefense confirmed the existence of this vulnerability in version 9.1 Fix
Pack 2 of IBM Corp.'s DB2 Universal Database installed on a Linux system.
All prior versions, as well as builds for other UNIX-based operating
systems, are suspected to be vulnerable.

Workaround:
Setting more strict permissions on the DB2 instance directory can help
mitigate some of these vulnerabilities. Removing the setuid-bit from all
programs included with DB2 can also help mitigate exposure. Note, these
configuration changes have not been thoroughly tested and may cause
adverse behavior.

These vulnerabilities exist due to the execution of binaries or loading of
libraries from untrusted paths. In each case, the path to the binary or
library is built from an environment variable under the attacker's control,
and the files to be executed or loaded reside in a directory the attacker
controls.

In cases where programs are executed, an attacker need only create a
specially crafted environment and file structure. In cases where a library
is loaded, it is sufficient to supply a library containing a specially
crafted initialization section: such code runs when the library is mapped
into the privileged process, so no function in the library ever has to be
called.

In order to exploit some of these vulnerabilities, the attacker must be a
member of the "db2grp1" group, or of the group corresponding to an
installed DB2 instance.

Detection:
iDefense confirmed the existence of this vulnerability in version 9.1 Fix
Pack 2 of IBM Corp.'s DB2 Universal Database installed on a Linux system.
All prior versions, as well as builds for other UNIX-based operating
systems, are suspected to be vulnerable.

Workaround:
Setting more strict permissions on the DB2 instance directory can help
mitigate some of these vulnerabilities. Removing the setuid-bit from all
programs included with DB2 can also help mitigate exposure. Note, these
configuration changes have not been thoroughly tested and may cause
adverse behavior.

This vulnerability exists due to insecure directory creation within
setuid binaries included with DB2. While creating specific directory
structures, attacker-created symbolic links will be followed. This allows
world-writable directories to be created anywhere on the file system.

In order to execute arbitrary code, an attacker could create a
world-writable locale directory. By creating a specially crafted localized
message file, the attacker can cause a format string of their choosing to
be passed to a function in the printf(3) family. Using known format string
exploitation techniques, an attacker can then execute arbitrary code as
root. This should not be considered the only way to gain root privileges
with this vulnerability; however, iDefense has confirmed this method in
lab tests.
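The two defensive checks these sections call for, as an added example that is not part of the original advisory and not IBM's code: deciding whether a directory named by an environment variable is safe to load a library or run a binary from (the untrusted-path section above), and creating a directory from a privileged process without being redirected by a symbolic link the attacker planted first (this section). The ownership and mode policy, the uid argument and the directory names are assumptions chosen for illustration.

```c
/* Added example, not IBM's code. Policy and names are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Policy: a directory is trusted for code loading only if it is a real
 * directory owned by root or by owner_ok and not group/world writable. A
 * writable component lets an attacker drop in a library whose
 * initialisation code runs with the loader's privileges. */
int dir_is_trusted(const struct stat *st, uid_t owner_ok)
{
    if (!S_ISDIR(st->st_mode))
        return 0;
    if (st->st_uid != 0 && st->st_uid != owner_ok)
        return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Open one path component below dirfd. O_NOFOLLOW refuses a symlink at that
 * name and fstat() inspects the object actually opened, so there is no gap
 * between checking and using it. Returns a directory fd or -1. */
int open_trusted_component(int dirfd, const char *name, uid_t owner_ok)
{
    int fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !dir_is_trusted(&st, owner_ok)) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Walk an absolute path one component at a time, checking every directory
 * on the way. Relative paths and ".." are rejected. Returns an fd for the
 * final directory, usable with openat() for the actual load, or -1. */
int open_trusted_dir(const char *path, uid_t owner_ok)
{
    if (path == NULL || path[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    int fd = open_trusted_component(AT_FDCWD, "/", owner_ok);
    if (fd < 0)
        return -1;
    char *copy = strdup(path);
    if (copy == NULL) {
        close(fd);
        return -1;
    }
    for (char *tok = strtok(copy, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            close(fd);
            fd = -1;
            errno = EINVAL;
            break;
        }
        int next = open_trusted_component(fd, tok, owner_ok);
        close(fd);
        fd = next;
        if (fd < 0)
            break;
    }
    free(copy);
    return fd;
}

/* Create one directory below dirfd without following symlinks. mkdirat()
 * fails with EEXIST if the attacker pre-planted a link at that name; the
 * O_NOFOLLOW open and ownership check afterwards catch anything swapped in
 * between the two calls. World-writable modes are refused outright. */
int mkdir_nofollow(int dirfd, const char *name, mode_t mode)
{
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL || (mode & S_IWOTH)) {
        errno = EINVAL;
        return -1;
    }
    if (mkdirat(dirfd, name, mode) != 0)
        return -1;
    int fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || st.st_uid != geteuid()) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

int main(void)
{
    const char *probes[] = { "/usr/lib", "/tmp", "relative/dir" };
    for (size_t i = 0; i < 3; i++) {
        int fd = open_trusted_dir(probes[i], getuid());
        printf("%-13s %s\n", probes[i], fd >= 0 ? "trusted" : "rejected");
        if (fd >= 0)
            close(fd);
    }
    return 0;
}
```

Everything is done relative to a directory descriptor rather than a path string: once open_trusted_dir() has returned, the library or binary is opened with openat() on that descriptor, so the attacker cannot change what the path refers to between the check and the load. Note that the trust policy deliberately rejects /tmp and any directory below it, which is exactly where the advisory's attacker-controlled directories live.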

Detection:
iDefense confirmed the existence of this vulnerability in version 9.1 Fix
Pack 2 of IBM Corp.'s DB2 Universal Database installed on a Linux system.
All prior versions, as well as builds for other UNIX-based operating
systems, are suspected to be vulnerable.

Workaround:
Setting more strict permissions on the DB2 instance directory can help
mitigate some of these vulnerabilities. Removing the setuid-bit from all
programs included with DB2 can also help mitigate exposure. Note, these
configuration changes have not been thoroughly tested and may cause
adverse behavior.

These vulnerabilities are due to insufficient checking being performed
while handling files with elevated privileges. By setting certain
combinations of environment variables, an attacker is able to create or
append to arbitrary files on the system.

In at least one case, the attacker's umask is honored when creating files.
Since the attacker controls the umask of the environment the setuid program
inherits, setting it to 000 causes the privileged process to create
world-writable, root-owned files anywhere on the system. By targeting
specific system files, such as /etc/ld.so.preload or various cron data file
locations, an attacker could then execute arbitrary code with superuser
privileges.

Detection:
iDefense confirmed the existence of this vulnerability in version 9.1 Fix
Pack 2 of IBM Corp.'s DB2 Universal Database installed on a Linux system.
All prior versions, as well as builds for other UNIX-based operating
systems, are suspected to be vulnerable.

Workaround:
Setting more strict permissions on the DB2 instance directory can help
mitigate some of these vulnerabilities. Removing the setuid-bit from all
programs included with DB2 can also help mitigate exposure. Note, these
configuration changes have not been thoroughly tested and may cause
adverse behavior.

Some DB2 binaries that are installed setuid-root save event information to
a log file. When building the full path to the destination file, an
environment variable is concatenated with "/tmp/". Since the environment
variable is not checked for path traversal sequences such as "../", an
attacker is able to create arbitrary files on the system.

It should be noted that attackers do not appear to have any control over
the contents of the data written. As such, privilege escalation requires
combining this issue with a vulnerability that relies only on the ability
to create a file with a chosen name. Denial of service is trivial:
creating /etc/nologin blocks logins by non-root users, and other critical
system files can be corrupted the same way.

Detection:
iDefense confirmed the existence of this vulnerability in version 9.1 Fix
Pack 2 of IBM Corp.'s DB2 Universal Database installed on a Linux system.
All prior versions, as well as builds for other UNIX-based operating
systems, are suspected to be vulnerable.

Workaround:
Setting more strict permissions on the DB2 instance directory can help
mitigate some of these vulnerabilities. Removing the setuid-bit from all
programs included with DB2 can also help mitigate exposure. Note, these
configuration changes have not been thoroughly tested and may cause
adverse behavior.

These vulnerabilities are due to insufficient checking being performed
while handling files with elevated privileges. In each case, a race
condition exists between the check that an existing file is not a symbolic
link and the subsequent modification of that file (a time-of-check,
time-of-use race). By quickly and repeatedly removing and recreating the
file as a symbolic link, an attacker can win the race and have the
privileged process modify arbitrary files with root privileges.

Depending on the specific vulnerability, the attacker may have little or
no control over the contents of the data written to the file. In most cases
this does not significantly impact exploitation, since the permissions of
the file being modified allow the attacker to write to it afterwards.
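Creating and appending to a log file from a privileged process without the three defects described in the preceding sections (a file name built from an environment variable that can traverse out of the intended directory, a mode widened by the attacker's umask, and a check-then-open race against a symbolic link), as an added example that is not part of the original advisory and not IBM's code. The directory layout, file names and owner check are assumptions chosen for illustration; the vulnerable variant is included only so the difference can be observed.

```c
/* Added example, not IBM's code. Names and policy are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: the name is used as given, O_CREAT applies the
 * caller's umask to 0666 and symlinks are followed. Under umask 000 this
 * leaves a world-writable file wherever "../" leads. For comparison only. */
int create_log_unsafe(int dirfd, const char *name)
{
    return openat(dirfd, name, O_WRONLY | O_CREAT | O_APPEND, 0666);
}

/* A single path component: non-empty, no slash, not "." or "..". */
int safe_component(const char *name)
{
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL)
        return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Create a new log file below dirfd. O_EXCL fails if anything, a dangling
 * symlink included, already exists under that name; O_NOFOLLOW is belt
 * and braces. fchmod() pins the final mode regardless of umask, and a
 * world-writable request is refused outright. Returns the fd or -1. */
int create_log_exclusive(int dirfd, const char *name, mode_t mode)
{
    if (!safe_component(name) || (mode & S_IWOTH)) {
        errno = EINVAL;
        return -1;
    }
    int fd = openat(dirfd, name,
                    O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, mode);
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Append to an existing file that must belong to 'owner'. lstat() followed
 * by open() can be raced by swapping in a symlink between the calls, so
 * open first (O_NOFOLLOW) and then inspect the descriptor: the object that
 * was checked is the object that gets written. A regular file, the expected
 * owner and a single link are required. Returns the fd or -1. */
int append_owned_file(int dirfd, const char *name, uid_t owner)
{
    if (!safe_component(name)) {
        errno = EINVAL;
        return -1;
    }
    int fd = openat(dirfd, name, O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner
        || st.st_nlink != 1) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

int main(void)
{
    char dir[] = "/tmp/db2logXXXXXX";           /* scratch directory */
    if (mkdtemp(dir) == NULL)
        return 1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    umask(0);                                   /* what an attacker arranges */
    struct stat st;
    int fd = create_log_unsafe(dfd, "loose.log");
    if (fd >= 0 && fstat(fd, &st) == 0)
        printf("unsafe:    loose.log mode %04o\n", st.st_mode & 07777);
    fd = create_log_exclusive(dfd, "event.log", 0640);
    if (fd >= 0 && fstat(fd, &st) == 0)
        printf("hardened:  event.log mode %04o\n", st.st_mode & 07777);
    printf("traversal: %s\n",
           create_log_exclusive(dfd, "../nologin", 0640) < 0 ? "rejected" : "ACCEPTED");
    return 0;
}
```

The common thread is that every decision is made on the descriptor the kernel actually handed back, never on a path that the attacker can repoint in the meantime; the umask problem disappears once the privileged code chooses the mode itself instead of inheriting one from its environment.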

Detection:
iDefense confirmed the existence of these vulnerabilities in version 9.1
Fix Pack 2 of IBM Corp.'s DB2 Universal Database installed on a Linux
system. All prior versions, as well as builds for other UNIX-based
operating systems, are suspected to be vulnerable.

Workaround:
Setting more strict permissions on the DB2 instance directory can help
mitigate some of these vulnerabilities. Removing the setuid-bit from all
programs included with DB2 can also help mitigate exposure. Note, these
configuration changes have not been thoroughly tested and may cause
adverse behavior.

Vendor response:
IBM Corp. has addressed these vulnerabilities by releasing V9 Fix Pack 3
and version V8 FixPak 15 of its Universal Database product. More
information can be found at the following URLs.

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.